Ale Fanjul

**Name of the Vulnerable Software and Affected Versions** LG SuperSign CMS (affected versions not specified) **Description** The issue allows authentication bypass. This is possible because the CAPTCHA requirement can be skipped by sending a `captcha:pass` cookie. Additionally, the PIN is limited to four digits, which may facilitate unauthorized access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LG SuperSign CMS (affected versions not specified) **Description** The issue concerns a file upload vulnerability. It allows file upload via `/signEzUI/playlist/edit/upload/..%2f` URIs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LG SuperSign CMS (affected versions not specified) **Description** The issue allows LG TVs to be rebooted remotely without authentication. This can be achieved by sending a direct HTTP request to the /qsr server/device/reboot API endpoint on port 9080. **Recommendations** For LG SuperSign CMS, as a temporary workaround, consider restricting access to the /qsr server/device/reboot API endpoint on port 9080 until a patch is available.